From 890178acb072ed348aa624a2490a9a5763c041e9 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Mon, 1 Dec 2025 23:33:11 +0000 Subject: [PATCH] test: Add edge case for RequireScope empty scope Empty scope should allow all requests through without checking token. Coverage: 84.6% to 100%. --- internal/api/auth_scope_test.go | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/internal/api/auth_scope_test.go b/internal/api/auth_scope_test.go index 84aa705..e0df099 100644 --- a/internal/api/auth_scope_test.go +++ b/internal/api/auth_scope_test.go @@ -24,6 +24,25 @@ func TestRequireScopeAllowsSession(t *testing.T) { } } +func TestRequireScopeEmptyScopeAllowsAll(t *testing.T) { + // Empty scope should allow all requests through without checking token + handler := RequireScope("", func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + }) + + req := httptest.NewRequest(http.MethodGet, "/", nil) + // Attach a token with no scopes - should still be allowed through + record := config.APITokenRecord{ID: "token-empty", Scopes: []string{}} + attachAPITokenRecord(req, &record) + + rr := httptest.NewRecorder() + handler(rr, req) + + if rr.Code != http.StatusOK { + t.Fatalf("expected status 200 when scope is empty, got %d", rr.Code) + } +} + func TestRequireScopeRejectsMissingScope(t *testing.T) { handler := RequireScope(config.ScopeSettingsWrite, func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK)